Closed
Bug 705873
Opened 13 years ago
Closed 13 years ago
[ObjShrink] "Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
1.65 KB,
text/plain
|
Details |
a = [] function f(o) { o[5] = {} } for (var i = 0; i < 20; i++) { with(a) f(a) } asserts js debug shell on JM changeset 5546f57c9567 with -m at Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE), Doesn't seem to occur with m-c changeset bc48009a6bbb. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 80557:13b3669cad6c user: Brian Hackett date: Mon Nov 21 19:20:39 2011 -0500 summary: Dense arrays should have numFixedSlots() == 0, regardless of size class. bug 704348
Comment 1•13 years ago
|
||
Bogus assert. It used to be that dense array inline paths tested the incoming object's class, and if that test passed but another failed then an array hole was being accessed. Now the testing is done based on the object's shape, and dense arrays can have multiple shapes (though the arrays associated with a given parent will almost all have the same shape, except in weird circumstances like the 'with(a)' setting the object's DELEGATE flag. https://hg.mozilla.org/projects/jaegermonkey/rev/c4832f2d9986
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 2•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug705873.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•